CVE-2024-1725

CWE-5016 documents5 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 65.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Kubevirt/csi-driver Redhat Openshift Container Platform Redhat Openshift Container Platform FOR Arm64 +3 more

Timeline

PublishedMar 7

Latest updateMar 13

Description

A flaw was found in the kubevirt-csi component of OpenShift Virtualization's Hosted Control Plane (HCP). This issue could allow an authenticated attacker to gain access to the root HCP worker node's volume by creating a custom Persistent Volume that matches the name of a worker node.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶Gogithub.com/kubevirt/csi-driver< 0.0.0-202403081943-cc28dcbb0afc14

Also affects: Openshift Container Platform 4.13, 4.14, 4.15

🔴Vulnerability Details

OSV

kubevirt-csi: PersistentVolume allows access to HCP's root node in github.com/kubevirt/csi-driver↗2025-03-13

▶

CVEList

Kubevirt-csi: persistentvolume allows access to hcp's root node↗2024-03-07

▶

GHSA

kubevirt-csi: PersistentVolume allows access to HCP's root node↗2024-03-07

▶

OSV

kubevirt-csi: PersistentVolume allows access to HCP's root node↗2024-03-07

▶

📋Vendor Advisories

Red Hat

kubevirt-csi: PersistentVolume allows access to HCP's root node↗2024-03-06

▶